Cyber Extortion: An Industry Hot Topic

Some traditional cyber-criminals have seemingly left the art of stealing credit cards and personally identifiable information (PII) for a simpler tactic – cyber extortion – where they use threats to demand victims’ money rather than steal it. While highly discussed, cyber extortion continues to gain traction as a multi-million-dollar criminal industry. Over the last year, state and local governments, along with law enforcement and healthcare organizations, have not evaded its path.

Exploring the Problem

Cyber extortion is the act of cyber-criminals demanding payment through the use of or threat of some form of malicious activity against a victim, such as data compromise or denial of service attack. Cyber extortion permeates actions such as ransomware, email ransom campaigns, and distributed denial of service (DDoS) attacks.


Since August 2015, ransomware infections have been leading the charge in cyber extortion with no foreseeable slowdown. Victims of ransomware are most commonly met with a demand to pay criminals the equivalent of $200 to $1,000 in bitcoin, although other currencies, gift cards, and ransoms of up to several thousand dollars are occasionally reported. Cyber-criminals realize that if they keep ransom demands small and establish a reputation for handing over decryption/access keys consistently, they can earn profits of tens of thousands of dollars per month.


Arrow Security Primer: Ransomware

Arrow Blog post: Ransomware: Facts, Threats, and Countermeasures

Arrow Blog post: 2016: The Year of Ransomware


Email-Based Extortion

Cyber extortion is also occurring via email-based ransom demands. With this tactic, recipients are told that their personal information will be released to their social media contacts, family, and friends if a ransom is not paid. The recipient is then instructed to pay in some form of currency (such as bitcoin) with an extremely tight deadline. Commonly reported ransom amounts range from approximately $250 to $1,200.

Reports also continue to surface from individuals who experienced email-based ransom threats. One example includes recent targeting of individuals who had data exposed by the high-profile data breach of the popular adult website Ashley Madison.

DDoS for Bitcoin

Throughout 2015 and 2016, email-based DDoS for bitcoin scams targeted a variety of industries. These emails often claimed to be originating from well-known hacktivist groups such as the Armada Collective or Lizard Squad, and demand that a ransom be paid or DDoS attacks will occur. However, our research has concluded that the most recent of these emails in 2016 were most likely not related to the groups mentioned. It is highly likely that the emails were originating from cyber-criminals using well-known cyber threat actor group names in an effort to legitimize their threats and scare recipients into responding. Sometimes these threats were preceded by low-level DDoS activity, and occasionally DDoS attacks were conducted if a ransom was not paid.

Last year, there was a DDoS for bitcoin campaign, and it is believed that the threats did in fact originate from the cyber threat actor group Armada Collective. However, open-source reporting suggests that if a ransom is not paid, long-term crippling DDoS attacks, if they occur, are sporadic and do not last for long periods of time. This suggests that cyber-criminals are likely looking for victims who are scared by the idea of not being able to access their systems in an attempt to make a quick buck from the threat alone.


Arrow Security Primer: Tech Support Call Scams

Arrow Blog post: Evolving Tactics of Tech Support Scams

Arrow Cyber Security Minute: Internet Phone Scams


Moving Forward

Regardless of the medium, cyber extortion will remain a persistent threat as long as criminals find it lucrative. As this multi-million-dollar enterprise continues to grow, raising awareness of cyber extortion tactics must be an industry priority.

While the most common tactics, techniques, and procedures involving extortion include delivery via email, or social engineering, organizations can start raising awareness by providing social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click links contained in such emails, not to post sensitive information online, and to never provide usernames and/or passwords in response to an unsolicited request. We also recommend companies remind employees to never reveal personal or financial information in response to an email. Legitimate organizations and financial institutions will never ask for this information in any email, solicited or unsolicited. If the message appears to be a phishing or spam email, it probably is. Employees should follow existing company policy for suspicious emails – where no policy exists, they should report the email to their IT department immediately and await further instruction.

IT professionals can help prevent the threat of ransomware by ensuring systems are using antivirus protection with the latest definitions, and that patching for all software is up-to-date. This will prevent infections by most malware.

Additionally, administrators and executives should familiarize themselves with CIS Controls – a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. Available free in PDF format, the CIS Controls framework is developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyber attack by around 85 percent.